macOS Sonoma shows an icon in the menubar with "AltTab is sharing your screen"

[5cj]

Describe the bug

Alert on boot after updating to Sonoma Developer Beta (14.0):

Alert "AltTab" is using a deprecated API that will be removed in the future. Please contact the developer for an updated version.

Screenshots / video

Steps to reproduce the bug

1. Update to Sonoma Developer Beta
2. Start AltTab
3. Observe alert

Your environment

• AltTab version: Version 6.59.0
• macOS version: Sonoma Developer Beta (14.0)

[fifafu]

I was recently thinking about this, though: would it be less distracting if the icon was permanently there, rather than popping up intermittently? Maybe there could be an option to make the app continually make bogus API requests so the icon never goes away?

I think it defeats the whole purpose of this macOS security feature. If an a malicious app starts recording your screen, you will never notice, because the icon is anyway displayed around the clock on your device.

The purpose of this (admittedly) annoying icon is to alert the user that some app is recording a portion or the whole screen.

The right way to fix this is for apple to implement whitelisting. But unless the product of a major player (adobe, microsoft, google, etc.) is impacted, I don't see Apple implementing it.

As long as malicious apps can trivially overlay that icon with something else, this is not a security feature.

[Qhilm]

I disagree. Security is not black and white, it's layers of swiss cheese. The difficulty level to overlay something on this icon in a reliable manner will be significantly higher compared to "simply" capturing the screen.

It's akin to saying "because someone can walk into my DC, it's not worth putting up firewalls".

[fifafu]

No, completely disagree. Features like this give a false sense of security, at least if they are sold as security feature. People now believe they will know when something is capturing their screen. I have created a PoC that perfectly & reliably overlays that icon in 30 minutes last week (for my personal use). Any serious bad actor can do that in the same amount of time.

[Qhilm]

If it's really that easy, then I would tend to agree with you, it's not very useful and even rather detrimental. My understanding was that it was rather hard to reliably hide a menu bar item, as it shifts around depending on what is displayed in the menu bar...

[fifafu]

There are ways to control & fix the position of the item. (macOS allows you to move it via cmd+drag, and this position is saved in unsecured preference files) Even if there were not, if the malicious app has permission to record your screen, it can just get a livestream of the relevant area and analyze every frame. Searching a captured frame for that icon is really simple.

[user334]

So how has it been so far on 14.1/14.1.1/14.2? Does macOS still show this purple icon while using AltTab or not?

[mgc8]

So how has it been so far on 14.1/14.1.1/14.2? Does macOS still show this purple icon while using AltTab or not?

Just upgraded to 14.1.1 and it does happen, so far only noticed it with the Alt-Tab app. It comes up with a delay, usually a couple of seconds after pressing the keyboard shortcut, then disappears after another delay. Sometimes it goes away completely for a while, then comes back later out of the blue. It's very inconsistent, which makes it extremely annoying -- the purple thing screams in your peripheral vision while trying to do something different, interrupting thoughts and workflows.

I wish there was a way to just say "thanks, go away" or disable this misfeature completely, but alas big daddy Apple knows better :-/

[DownrightNifty]

I think it defeats the whole purpose of this macOS security feature. If an a malicious app starts recording your screen, you will never notice, because the icon is anyway displayed around the clock on your device.

Yes, I understand that. The proposed option would be disabled by default. If you are concerned about this, then you shouldn't enable the option. In my case, AltTab is the only app I've granted permission to access my screen, so there is no ambiguity when the icon displays. With the option enabled, you should view the "screen recording" permission the same way you did pre-Sonoma: it allows an app to record your screen in the background at any time without notification. If you want, you can temporarily provide access to an app (e.g. for a video call) and then revoke it when you're done.

The right way to fix this is for apple to implement whitelisting.

Yes, but we have little to no influence over what Apple does.

AltTab is a special case among apps that need screen recording permission; most only make use of that access intermittently, but AltTab accesses it constantly. Apple has failed to accommodate for this type of app when designing their security controls. Until they fix this, hacky workarounds are the only solution unfortunately.

Users will always have the ability to use an external tool for this; making the indicator constantly show is not an "exploit" in and of itself. You can download and use the example provided by fungiboletus right now if you want. Implementing it within AltTab just makes it easier and more memory-efficient.

[DownrightNifty]

I'm now on 14.1.1. My experience is similar to other reports here: the icon now mysteriously shows from time to time. Shows less often, but inconsistent. Still quite annoying.

But I noticed something interesting. Hammerspoon seems to be able to capture windows without tripping the indicator. I used the config provided by fungiboletus, which was designed specifically to make the indicator show, but it doesn't seem to ever appear on 14.1.1. I've even tried restarting the app and computer multiple times. They might be using an API that doesn't trip it somehow. This should be investigated.

Here's a minimal example:

i = 1

function captureWindow()
  local window = hs.window.frontmostWindow()
  local snapshot = window:snapshot()
  snapshot:saveToFile(string.format("/tmp/window%d.png", i))
  i = i + 1
end

captureWindow()
timer = hs.timer.doEvery(9, captureWindow)

You will see new window snapshots appear every 9 seconds in /tmp, without ever tripping the indicator.

Edit: Here's the code responsible for taking a screenshot: https://github.com/Hammerspoon/hammerspoon/blob/5f2212d015c96c287eb4f913348daed232eb217d/Hammerspoon/HSuicore.m#L611

It uses CGWindowListCreateImage().

[onurcagan]

Just checking in to see if there's any work on this as this is quite annoying. I can also look into this if @DownrightNifty's solution seems to be able to achieve what everyone wants.

[lwouis]

CGWindowListCreateImage is what we used to use before switching to the private API . Please see https://github.com/lwouis/alt-tab-macos/blob/9e03d5f6659f0bf2327712e1e70851267acf01c1/src/api-wrappers/CGWindowID.swift#L29

I would also be surprised it would not show the indicator. Or at least differ from other APIs like the one we use

[DownrightNifty]

@lwouis I compiled AltTab with those APIs swapped out and the indicator still shows up (inconsistently).

It's really weird that Hammerspoon doesn't trip the indicator at all though. I haven't gotten the time to do an in-depth investigation, but I figure it might have something to do with the frequency of the API calls?

Based on the tip from @fifafu that the code responsible for this is located in Control Center, I'd like to pop /System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter into Ghidra, if I get the time before school starts back up for me...

[DownrightNifty]

If you disable SIP, you could actually make patches to the ControlCenter binary to disable the indicator for AltTab, with root access. This of course opens up security vulnerabilities but if the indicator annoys you that bad, maybe it's worth it, I don't know. I probably wouldn't do it myself. (Though I have temporarily disabled SIP in the past to do dynamic analysis on macOS system binaries 😅.)

[DownrightNifty]

$ strings /System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter | grep "capturing your screen"
 is capturing your screen.

Just based on this basic smoke test, it seems very likely that this is indeed the binary responsible for the indicator :)

[SarcevicAntonio]

Not sure what happened, but I'm running macOS 14.2.1 and right now the indicator doesn't seem to appear anymore when using AltTab.

[Duc-NSH]

Not sure what happened, but I'm running macOS 14.2.1 and right now the indicator doesn't seem to appear anymore when using AltTab.

Hmm, it is weird, I am currently on 14.2.1 too but the indicator still appears occasionally

[lwouis]

As someone mentioned in that thread, i believe that Apple has patched their purple indicator over time.

It used to trigger exactly on usage of the APIs. Now it seems to trigger on a more complex logic. Probably some kind of heuristic to show it when an app does it the first time, but then only show it after a certain time if the app spam calls.

So in the case of AltTab, we see it only occasionally these days. This is what people here mostly wanted so i guess Apple improved things.

[aubreypwd]

If an app (like AltTab) needs to grab part of the screen (to generate a thumbnail for the selected window) it will report to macOS that it is recording your screen (because it is).

This is normal behavior.

Doesn't mean I like the big giant purple square Apple chose (a dot would have sufficed), but I am still shocked this is still an issue. Disable thumbnails to make it go away.

[DownrightNifty]

Disable thumbnails to make it go away.

I imagine for most people, myself included, the main appeal of the app is the thumbnails.

[DownrightNifty]

I found a way to allow user-specified apps to bypass the indicator without creating new security issues or disabling SIP, but unfortunately it's (tangentially) related to a security issue I reported to Apple, so I don't want to risk talking about it just yet. I'll post an update when I get a response from Apple. (The fix for this issue won't prevent the method I found from working.)

[mayeths]

Every month I check this thread for any new messages, and I still use MacOS 13.2 because of this. Disappointing to Apple for such a thing.

[DownrightNifty]

Hey all, Apple has unfortunately been quite slow to respond, so in the meantime I thought I would share another method of running AltTab without activating the indicator.

Paste this into Apple Terminal (not a third party terminal):

pkill AltTab; screen -dmS AltTab /Applications/AltTab.app/Contents/MacOS/AltTab

Then grant Terminal screen recording permission.

It's not automated, but it works for the time being. I'm still waiting on Apple and I'll provide a better solution when they get back to me.

[Duc-NSH]

Hey all, Apple has unfortunately been quite slow to respond, so in the meantime I thought I would share another method of running AltTab without activating the indicator.

Paste this into Apple Terminal (not a third party terminal):

pkill AltTab; screen -dmS AltTab /Applications/AltTab.app/Contents/MacOS/AltTab

Then grant Terminal screen recording permission.

It's not automated, but it works for the time being. I'm still waiting on Apple and I'll provide a better solution when they get back to me.

So by manually giving the screen recording permission via the terminal, the system does not indicate that anymore?

[caff2code]

I'll provide a better solution when they get back to me.

The one you provided already works perfectly, thank you! I wanted it to autostart with my mac so I made a alttab.command file and paste that in there (minus the pkill AltTab), then System preferences > Login items > + > alttab.command.

# alttab.command
screen -dmS AltTab /Applications/AltTab.app/Contents/MacOS/AltTab

.command is different to .sh, it will open in Apple's terminal always. Only minor caveat is you see the flash of a console window every reboot. But think of it as a reminder of the "good old days" of random background Windows command prompt flashes :)

As far as how it works, I guess Apple allows Apple's own apps to bypass the sharing icon, which is why, e.g. Screenshot.app doesn't activate it. Fingers crossed they don't remove it. I cannot see why they would do such a thing, because only advanced users would take advantage of this.

@lwouis Did you see this?

[conker-rsc]

Seconding the workaround - I added a startup trigger on BTT to execute the terminal command @Duc-NSH posted and it's been working perfectly. Thank you so much!

[arozbiz]

Does this disable the purple screen-recording notification icon or does it just keep it on permanently?

[conker-rsc]

Does this disable the purple screen-recording notification icon or does it just keep it on permanently?

It prevents the purple icon from showing up at all

[jckpn]

For anyone else who was getting a permissions error, you might need to modify the file with chmod 755 ~/alttab.command (or whatever path to your command file).

[lockieluke]

I have a script for auto starting AltTab:

1. Create a file at ~/Library/LaunchAgents/local.alttab.plist and paste this in:

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
   <key>Label</key>
   <string>local.alttab</string>
   <key>ProgramArguments</key>
   <array>
       <string>/bin/sh</string>
       <string>-c</string>
       <string>/usr/bin/osascript $HOME/Scripts/alttab.scpt</string>
   </array>
   <key>RunAtLoad</key>
   <true/>
   </dict>
   </plist>

2. Make sure you turn off Launch at login in AltTab
3. Create a file at ~/Scripts/alttab.scpt and paste this in:

   tell application "Terminal"
   do script "screen -dmS AltTab /Applications/AltTab.app/Contents/MacOS/AltTab"
   delay 1.5
   if it is running then quit
   end tell

4. Run launchctl load ~/Library/LaunchAgents/local.alttab.plist to load the launch agent profile you just created
5. Logout and log back in, you might see the Terminal flash for a fraction of a second as it's starting AltTab but it should start working in a second

[phendan]

@lockieluke This solution doesn't seem to be working for me anymore. Is it still working for you, and if not, is there a new workaround?

[mikluko]

@lockieluke This solution doesn't seem to be working for me anymore. Is it still working for you, and if not, is there a new workaround?

Still working for me.

[mikluko]

Here is a bit improved version of @lockieluke's solution:

https://gist.github.com/mikluko/4618cc2f69bbb09d26d02f99a2897b66

How to use:

Boot out the existing launchd agent (if you have one):

launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/local.alttab.plist

Install the new launchd agent:

curl -sl https://gist.githubusercontent.com/mikluko/4618cc2f69bbb09d26d02f99a2897b66/raw/b0e949de3c0171d936af4e932db489881944639e/local.alttab.plist > ~/Library/LaunchAgents/local.alttab.plist
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/local.alttab.plist

[nendonerd]

I'll provide a better solution when they get back to me.

The one you provided already works perfectly, thank you! I wanted it to autostart with my mac so I made a alttab.command file and paste that in there (minus the pkill AltTab), then System preferences > Login items > + > alttab.command.

# alttab.command
screen -dmS AltTab /Applications/AltTab.app/Contents/MacOS/AltTab

.command is different to .sh, it will open in Apple's terminal always. Only minor caveat is you see the flash of a console window every reboot. But think of it as a reminder of the "good old days" of random background Windows command prompt flashes :)

As far as how it works, I guess Apple allows Apple's own apps to bypass the sharing icon, which is why, e.g. Screenshot.app doesn't activate it. Fingers crossed they don't remove it. I cannot see why they would do such a thing, because only advanced users would take advantage of this.

@lwouis Did you see this?

I'm using displaylink which also have this annoying flickering purple icon "xxx is recording" thing. I modify your code a bit, so that when the command finished running, the Terminal got killed. Also I have to specify the architecture else it will fail to execute. The app is a universal binary, I have no idea why I have to specify the architecture for it to run.

# displaylink.command
# System preferences > Login items > + > `displaylink.command`
screen -dmS displaylink arch -arm64 /Applications/DisplayLink\ Manager.app/Contents/MacOS/DisplayLinkUserAgent; killall Terminal

Also don't forget to make the file executable by chmod +x displaylink.command

[adamnovak]

@nendonerd's solution also works with the competing SiliconMotion InstantView application for their line of adapters, with the added caveat that you need to use the version of the app that lives in Application Support, which is the one that actually runs and does the capture. I tried to set up an AppleScript solution, but using Terminal.app seems to work better, because as soon as you export an AppleScript to something that can be a login item, it no longer gets to run as Script Editor.

# Add this as a login item
# Make sure Terminal is approved to do screen recording
screen -dmS instantview arch -arm64 "/Users/${USER}/Library/Application Support/InstantView/macOS InstantView.app/Contents/MacOS/macOS InstantView"
# Actually quit Terminal
# See <https://stackoverflow.com/a/22447960>
osascript -e "do shell script \"osascript -e \\\"tell application \\\\\\\"Terminal\\\\\\\" to quit\\\" &> /dev/null &\""

This is essential to prevent the screen recording icon from randomly flashing on and off as Apple's heuristics struggle to understand the concept of a userspace display adapter driver (the only allowed kind).

[jquick]

@nendonerd Does this work with the most recent 1.10+ version? Running manually via

/Applications/DisplayLink\ Manager.app/Contents/MacOS/DisplayLinkUserAgent

Errors with Setting DisplayLink Login Item to false FAILED and it starts kind of in a limited mode without permissions.